
Russia: Fine, I guess we should have a Grasshopper rocket project, too

Like a lot of competitors in the global launch industry, Russia for a long time dismissed the prospects of a reusable first stage for a rocket.

As late as 2016, an official with the Russian agency that develops strategy for the country’s main space corporation, Roscosmos, concluded, “The economic feasibility of reusable launch systems is not obvious.” In the dismissal of the landing prospects of SpaceX’s Falcon 9 rocket, Russian officials were not alone. Throughout the 2010s, competitors including space agencies in Europe and Japan, and US-based United Launch Alliance, all decided to develop expendable rockets.

However, by 2017, when SpaceX re-flew a Falcon 9 rocket for the first time, the writing was on the wall. “This is a very important step, we sincerely congratulate our colleague on this achievement,” then-Roscosmos CEO Igor Komarov said at the time. He even spoke of developing reusable components, such as rocket engines capable of multiple firings.

A Russian Grasshopper

That was more than seven years ago, however, and not much has happened in Russia since then to foster the development of a reusable rocket vehicle. Yes, Roscosmos unveiled plans for the “Amur” rocket in 2020, which was intended to have a reusable first stage and methane-fueled engines and land like the Falcon 9. But its debut has slipped year for year—originally intended to fly in 2026, its first launch is now expected no earlier than 2030.

Now, however, there is some interesting news from Moscow about plans to develop a prototype vehicle to test the ability to land the Amur rocket’s first stage vertically.

According to the state-run news agency, TASS, construction of this test vehicle will enable the space corporation to solve key challenges. “Next year preparation of an experimental stage of the (Amur) rocket, which everyone is calling ‘Grasshopper,’ will begin,” said Igor Pshenichnikov, the Roscosmos deputy director of the department of future programs. The Russian news article was translated for Ars by Rob Mitchell.


Max needs higher prices, more ads to help support WBD’s flailing businesses

At the same time, the rest of WBD is in a period of duress as the cable and movie industries struggle. Films like Beetlejuice Beetlejuice failed to reach the same success as last year’s Barbie, sending WBD studios’ revenue down 17 percent and its theatrical revenue down 40 percent. As WBD CEO David Zaslav put it:

Inconsistency also remains an issue at our Motion Picture Studio, as reinforced recently by the disappointing results of Joker 2.

Some things that helped buoy WBD’s legacy businesses won’t be around the next time WBD execs speak to investors. This includes revenue from distributing the Olympics in Europe and gains from the Hollywood writers’ and actors’ strikes ending. With WBD’s networks business also understandably down, WBD’s overall revenue decreased 3 percent YoY. It’s natural for the company to lean more on its strongest leg (streaming) to help support the others.

WBD wants more streaming M&As

Today, Zaslav reiterated earlier stated beliefs that the burgeoning streaming industry needs more mergers and acquisitions activity to maintain profitability. He discussed complications for users, who have to consider various services’ pricing and are “Googling where a show is, or where a sport is, and you’re going from one to another, and there’s so many.” He added:

It’s not sustainable. And there probably should have been more meaningful consolidation… You’re starting to see fairly large players saying, ‘Hey, maybe I should be a part of you. Or maybe I should be a part of somebody else.’

Zaslav said that it’s too early to know if Donald Trump’s presidency will boost these interests. But he suggested that the incoming administration “may offer a pace of change and an opportunity for consolidation that may be quite different [and] that would provide a real positive and accelerated impact on this industry that’s needed.”

It’s also too early to know if streaming consolidation would help subscribers fed up with rising prices and growing ad loads. But for now, that’s about all we can bet on from streaming services like Max.


Idaho health district abandons COVID shots amid flood of anti-vaccine nonsense

Slippery slope

In the hearing, board member Jennifer Riebe (who voted to keep COVID-19 vaccinations available) worried about the potential of a slippery slope.

“My concern with this is the process because if this board and six county commissioners and one physician is going to make determinations on every single vaccine and pharmaceutical that we administer, I’m not comfortable with that,” she said, according to Boise State Public Radio. “It may be COVID now, maybe we’ll go down the same road with the measles vaccine or the shingles vaccine coverage.”

Board Chair Kelly Aberasturi, who also voted to keep the vaccines, argued that it should be a choice by individuals and their doctors, who sometimes refer their patients to the district for COVID shots. “So now, you’re telling me that I have the right to override that doctor? Because I know more than he does?” Aberasturi said.

“It has to do with the right of the individual to make that decision on their own. Not for me to dictate to them what they will do. Sorry, but this pisses me off,” he added.

According to Boise State Public Radio, the district had already received 50 COVID-19 vaccines at the time of the vote, which were slated to go to residents of a skilled nursing facility.

The situation in the southwest district may not be surprising given the state’s overall standing on vaccination: Idaho has the lowest kindergarten vaccination rates in the country, with coverage of key vaccinations sitting at around 79 percent to 80 percent, according to a recent analysis by the Centers for Disease Control and Prevention. The coverage is far lower than the 95 percent target set by health experts. That’s the level that would block vaccine-preventable diseases from readily spreading through a population. The target is out of reach for Idaho as a whole, which also has the highest vaccination exemption rate in the country, at 14.3 percent. Even if the state managed to vaccinate all non-exempt children, the coverage rate would only reach 85.7 percent, missing the 95 percent target by nearly 10 percentage points.


McDonald’s E. coli outbreak grows by 50% in 3 days as lawsuits mount

Twenty-six more cases have been identified in a multistate E. coli O157:H7 outbreak linked to McDonald’s Quarter Pounder burgers, the Centers for Disease Control and Prevention announced Friday.

The 26 new cases represent a 50 percent increase in the case count from October 22, bringing the total to 75 cases. With the new cases, health officials also reported 12 more hospitalizations, including one new adult case of hemolytic uremic syndrome (HUS), a severe complication of E. coli O157:H7 infection. Three more states are also newly affected: Michigan, New Mexico, and Washington.

In all, the outbreak now stands at 75 cases, including 22 hospitalizations and two cases of HUS, across 13 states. The number of deaths linked to the outbreak remains at one. The most recent illness onset for the cases identified so far is October 10.

The states with cases now include: Colorado (26 cases), Montana (13), Nebraska (11), New Mexico (5), Utah (5), Missouri (4), Wyoming (4), and Michigan (2), and one case each in Iowa, Kansas, Oregon, Washington, and Wisconsin.

The source of the outbreak has not yet been confirmed, but investigators have focused on the beef patties and slivered onions used on McDonald’s Quarter Pounders. McDonald’s immediately pulled the popular burger off the menu and paused distribution of the slivered onions from affected restaurants when the CDC announced the outbreak Tuesday. McDonald’s considered the affected areas to be Colorado, Kansas, Utah, and Wyoming, as well as portions of Idaho, Iowa, Missouri, Montana, Nebraska, Nevada, New Mexico, and Oklahoma.

Onions recalled and destroyed

On Wednesday, one of McDonald’s onion suppliers, Taylor Farms, recalled peeled and diced yellow onion products. Taylor Farms told Bloomberg earlier this week that its testing had not turned up E. coli, but that it decided to issue the recall anyway.


In a rare disclosure, the Pentagon provides an update on the X-37B spaceplane

“When it’s close to the Earth, it’s close enough to the atmosphere to turn where it is,” she said. “Which means our adversaries don’t know—and that happens on the far side of the Earth from our adversaries—where it’s going to come up next. And we know that that drives them nuts. And I’m really glad about that.”

Breaking the silence

The Pentagon rarely releases an update on the X-37B spaceplane in the middle of a mission. During previous flights, military officials typically provided some basic information about the mission before its launch, then went silent until the X-37B returned for landing. The military keeps specifics about the spaceplane’s activities in orbit a secret.

This made the Space Force’s announcement Thursday somewhat of a surprise. When the seventh flight of the X-37B launched, there were indications that the spacecraft would soar into a much higher orbit than it did on any of its six prior missions.

In February, a sleuthing satellite-tracking hobbyist spotted the X-37B in orbit by observing sunlight reflected off the spacecraft as it flew thousands of miles above Earth. Follow-up detections confirmed the discovery, allowing amateur observers to estimate that the X-37B was flying in a highly elliptical orbit ranging between roughly 300 and 38,600 kilometers in altitude (186-by-23,985 miles). The orbit was inclined 59.1 degrees to the equator.

On its previous missions, the X-37B was confined to low-Earth orbit a few hundred miles above the planet. When it became apparent that the latest mission was cruising at a significantly higher altitude, analysts and space enthusiasts speculated on what the secret spaceplane was doing and how it would come back to Earth. A direct reentry into the atmosphere from the spaceplane’s elliptical orbit would expose the craft’s heat shield to hotter temperatures than any of its previous returns.

Now, we have an answer to the latter question.

As for what it’s doing up there, the Space Force said the spaceplane on this mission has “conducted radiation effect experiments and has been testing space domain awareness technologies in a highly elliptical orbit.” The orbit brings the X-37B through the Van Allen radiation belts and crosses several orbital regimes populated by US and foreign communications, navigation, and surveillance satellites.

Military officials have said previous X-37B flights have tested a Hall-effect ion thruster and tested other experimental space technologies without elaborating on their details. X-37Bs have also secretly deployed small military satellites in orbit.


One company appears to be thriving as part of NASA’s return to the Moon

Talking to the Moon —

“This has really been a transformational year for us.”

The second Intuitive Machines lander is prepared for hot-fire testing this week.


One of the miracles of the Apollo Moon landings is that they were televised, live, for all the world to see. This transparency diffused doubts about whether the lunar landings really happened and were watched by billions of people.

However, as remarkable a technical achievement as it was to broadcast from the Moon in 1969, the video was grainy and black and white. As NASA contemplates a return to the Moon as part of the Artemis program, it wants much higher resolution video and communications with its astronauts on the lunar surface.

To that end, NASA announced this week that it had awarded a contract to Houston-based Intuitive Machines for “lunar relay services.” Essentially this means Intuitive Machines will be responsible for building a small constellation of satellites around the Moon that will beam data back to Earth from the lunar surface.

“One of the requirements is a 4K data link,” said Steve Altemus, co-founder and chief executive of Intuitive Machines, in an interview. “That kind of high fidelity data only comes from a data relay with a larger antenna than can be delivered to the surface of the Moon.”

About the plan

This is part of NASA’s plan to build a more robust “Near Space Network” for communications within 1 million miles of Earth (the Moon is about 240,000 miles from Earth). Intuitive Machines’ contract is worth as much as $4.82 billion over the next decade, depending on the level of communication services that NASA chooses to purchase.

The space agency is also expected to award a ground-based component of this network for large dishes to receive signals from near space, taking some of this burden off the Deep Space Network. Altemus said Intuitive Machines has also bid on this ground component contract.

The Houston company, with its IM-1 mission, made a largely successful landing on the Moon in February. A second lunar landing mission, IM-2, is scheduled to take place in late December or January, a few months from now. Funded largely by NASA, the IM-2 mission will carry a small drill to the South Pole of the Moon to search for water ice in Shackleton Crater.

Then, approximately 15 months from now, the company is planning to launch another lander, IM-3. This mission is likely to carry the first data-relay satellite—each is intended to be about 500 kg, Altemus said, but the final design of the vehicles is still being finalized—to lunar orbit. Assuming this first satellite works well, the two following IM missions will each carry two relay satellites, making for a constellation of five spacecraft orbiting the Moon.

Two of the satellites will go into polar orbits and serve NASA’s Artemis needs at the South Pole, Altemus said. Two more are likely to go into halo orbits, and a fifth satellite will be placed into an equatorial orbit. This will provide full coverage of the Moon not just for communications, but also for position, navigation, and timing.

Intuitive Machines rising

A former deputy director of Johnson Space Center, Altemus founded Intuitive Machines in 2013 along with an investor, Kam Ghaffarian, and an aerospace engineer named Tim Crain. It hasn’t always been easy. Development of Intuitive Machines’ Nova C lander took years longer than anticipated; there were setbacks such as a propellant tank failure, and money was at times tight.

In part to address these financial difficulties, the company went public in 2023, at the tail end of the mania in which space companies were becoming publicly traded via special purpose acquisition companies, or SPACs. Many space companies that went public this way have struggled mightily, and Intuitive Machines has also faced similar pressures.

“It’s been a challenge,” Altemus said. “We went public in 2023, and navigating that was the story of last year, as well as getting to the launch pad.”

But then good things started happening. Despite some technical troubles, including the failure of its altimeter, the company’s first lander managed a soft touchdown on the Moon, albeit on its side. Even with this unintended orientation, the Intuitive Machines-1 mission still managed to complete the vast majority of its science objectives. In August, the company won its fourth task order from NASA—essentially a lunar delivery mission—under the Commercial Lunar Payload Services program.

And then the company won the massive data relay contract this week.

“This has really been a transformational year for us,” Altemus said. “The vision for the company is finally coming together.”


Found: 280 Android apps that use OCR to steal cryptocurrency credentials

PICTURE THIS —

Optical Character Recognition converts passwords shown in images to machine-readable text.


Researchers have discovered more than 280 malicious apps for Android that use optical character recognition to steal cryptocurrency wallet credentials from infected devices.

The apps masquerade as official ones from banks, government services, TV streaming services, and utilities. In fact, they scour infected phones for text messages, contacts, and all stored images and surreptitiously send them to remote servers controlled by the app developers. The apps are available from malicious sites and are distributed in phishing messages sent to targets. There’s no indication that any of the apps were available through Google Play.

A high level of sophistication

The most notable thing about the newly discovered malware campaign is that the threat actors behind it are employing optical character recognition software in an attempt to extract cryptocurrency wallet credentials that are shown in images stored on infected devices. Many wallets allow users to protect their wallets with a series of random words. The mnemonic credentials are easier for most people to remember than the jumble of characters that appear in the private key. Words are also easier for humans to recognize in images.

SangRyol Ryu, a researcher at security firm McAfee, made the discovery after obtaining unauthorized access to the servers that received the data stolen by the malicious apps. That access was the result of weak security configurations made when the servers were deployed. With that, Ryu was able to read pages available to server administrators.

One page, displayed in the image below, was of particular interest. It showed a list of words near the top and, below it, a corresponding image taken from an infected phone. The words visible in the image matched the list above it.

An admin page showing OCR details

“Upon examining the page, it became clear that a primary goal of the attackers was to obtain the mnemonic recovery phrases for cryptocurrency wallets,” Ryu wrote. “This suggests a major emphasis on gaining entry to and possibly depleting the crypto assets of victims.”

Optical character recognition is the process of converting images of typed, handwritten, or printed text into machine-encoded text. OCR has existed for years and has grown increasingly common to transform characters captured in images into characters that can be read and manipulated by software.

Ryu continued:

This threat utilizes Python and Javascript on the server-side to process the stolen data. Specifically, images are converted to text using optical character recognition (OCR) techniques, which are then organized and managed through an administrative panel. This process suggests a high level of sophistication in handling and utilizing the stolen information.

Python code for converting text shown in images to machine-readable text.

People who are concerned they may have installed one of the malicious apps should check the McAfee post for a list of associated websites and cryptographic hashes.

The malware has received multiple updates over time. Whereas it once used HTTP to communicate with control servers, it now connects through WebSockets, a mechanism that’s harder for security software to parse. WebSockets have the added benefit of being a more versatile channel.

A timeline of the apps’ evolution.

Developers have also updated the apps to better obfuscate their malicious functionality. Obfuscation methods include encoding the strings inside the code so they’re not easily read by humans, the addition of irrelevant code, and the renaming of functions and variables, all of which confuse analysts and make detection harder. While the malware is mostly restricted to South Korea, it has recently begun to spread within the UK.

“This development is significant as it shows that the threat actors are expanding their focus both demographically and geographically,” Ryu wrote. “The move into the UK points to a deliberate attempt by the attackers to broaden their operations, likely aiming at new user groups with localized versions of the malware.”


Push alerts from TikTok include fake news, expired tsunami warning

Broken —

News-style notifications include false claims about Taylor Swift, other misleading info.


TikTok has been sending inaccurate and misleading news-style alerts to users’ phones, including a false claim about Taylor Swift and a weeks-old disaster warning, intensifying fears about the spread of misinformation on the popular video-sharing platform.

Among alerts seen by the Financial Times was a warning about a tsunami in Japan, labeled “BREAKING,” that was posted in late January, three weeks after an earthquake had struck.

Other notifications falsely stated that “Taylor Swift Canceled All Tour Dates in What She Called ‘Racist Florida’” and highlighted a five-year “ban” for a US baseball player that originated as an April Fools’ Day prank.

The notifications, which sometimes contain summaries from user-generated posts, pop up on screen in the style of a news alert. Researchers say that format, adopted widely to boost engagement through personalized video recommendations, may make users less critical of the veracity of the content and open them up to misinformation.

“Notifications have this additional stamp of authority,” said Laura Edelson, a researcher at Northeastern University, in Boston. “When you get a notification about something, it’s often assumed to be something that has been curated by the platform and not just a random thing from your feed.”

Social media groups such as TikTok, X, and Meta are facing greater scrutiny to police their platforms, particularly in a year of major national elections, including November’s vote in the US. The rise of artificial intelligence adds to the pressure given that the fast-evolving technology makes it quicker and easier to spread misinformation, including through synthetic media, known as deepfakes.

TikTok, which has more than 1 billion global users, has repeatedly promised to step up its efforts to counter misinformation in response to pressure from governments around the world, including the UK and EU. In May, the video-sharing platform committed to becoming the first major social media network to label some AI-generated content automatically.

The false claim about Swift canceling her tour in Florida, which also circulated on X, mirrored an article published in May in the satirical newspaper The Dunning-Kruger Times, although this article was not linked or directly referred to in the TikTok post.

At least 20 people said on a comment thread that they had clicked on the notification and were directed to a video on TikTok repeating the claim, even though they did not follow the account. At least one person in the thread said they initially thought the notification “was a news article.”

Swift is still scheduled to perform three concerts in Miami in October and has not publicly called Florida “racist.”

Another push notification inaccurately stated that a Japanese pitcher who plays for the Los Angeles Dodgers faced a ban from Major League Baseball: “Shohei Ohtani has been BANNED from the MLB for 5 years following his gambling investigation… ”

The words directly matched the description of a post uploaded as an April Fools’ Day prank. Tens of commenters on the original video, however, reported receiving alerts in mid-April. Several said they had initially believed it before they checked other sources.

Users have also reported notifications that appeared to contain news updates but were generated weeks after the event.

One user received an alert on January 23 that read: “BREAKING: A tsunami alert has been issued in Japan after a major earthquake.” The notification appeared to refer to a natural disaster warning issued more than three weeks earlier after an earthquake struck Japan’s Noto peninsula on New Year’s Day.

TikTok said it had removed the specific notifications flagged by the FT.

The alerts appear automatically to scrape the descriptions of posts that are receiving, or are likely to receive, high levels of engagement on the viral video app, owned by China’s ByteDance, researchers said. They seem to be tailored to users’ interests, which means that each one is likely to be limited to a small pool of people.

“The way in which those alerts are positioned, it can feel like the platform is speaking directly to [users] and not just a poster,” said Kaitlyn Regehr, an associate professor of digital humanities at University College London.

TikTok declined to reveal how the app determined which videos to promote through notifications, but the sheer volume of personalized content recommendations must be “algorithmically generated,” said Dani Madrid-Morales, co-lead of the University of Sheffield’s Disinformation Research Cluster.

Edelson, who is also co-director of the Cybersecurity for Democracy group, suggested that a responsible push notification algorithm could be weighted towards trusted sources, such as verified publishers or officials. “The question is: Are they choosing a high-traffic thing from an authoritative source?” she said. “Or is this just a high-traffic thing?”

Additional reporting by Hannah Murphy in San Francisco and Cristina Criddle in London.

© 2024 The Financial Times Ltd. All rights reserved. Not to be redistributed, copied, or modified in any way.


512-bit RSA key in home energy system gives control of “virtual power plant”


When Ryan Castellucci recently acquired solar panels and a battery storage system for their home just outside of London, they were drawn to the ability to use an open source dashboard to monitor and control the flow of electricity being generated. Instead, they gained much, much more—some 200 megawatts of programmable capacity to charge or discharge to the grid at will. That’s enough energy to power roughly 40,000 homes.

Castellucci, whose pronouns are they/them, acquired this remarkable control after gaining access to the administrative account for GivEnergy, the UK-based energy management provider that supplied the systems. In addition to control over an estimated 60,000 installed systems, the admin account—which amounts to root control of the company’s cloud-connected products—also made it possible for them to enumerate names, email addresses, usernames, phone numbers, and addresses of all other GivEnergy customers (something the researcher didn’t actually do).

“My plan is to set up Home Assistant and integrate it with that, but in the meantime, I decided to let it talk to the cloud,” Castellucci wrote Thursday, referring to the recently installed gear. “I set up some scheduled charging, then started experimenting with the API. The next evening, I had control over a virtual power plant comprised of tens of thousands of grid connected batteries.”

Still broken after all these years

The cause of the authentication bypass Castellucci discovered was a programming interface protected by an RSA cryptographic key of just 512 bits. The key signs authentication tokens and is the rough equivalent of a master key. That key size allowed Castellucci to factor the private key underpinning the entire API. The factoring required $70 in cloud computing costs and less than 24 hours. GivEnergy introduced a fix within 24 hours of Castellucci privately disclosing the weakness.

The first publicly known instance of 512-bit RSA being factored came in 1999, by an international team of more than a dozen researchers. The feat took a supercomputer and hundreds of other computers seven months to carry out. By 2009, hobbyists spent about three weeks to factor 13 512-bit keys protecting firmware in Texas Instruments calculators from being copied. In 2015, researchers demonstrated factoring as a service, a method that used Amazon cloud computing, cost $75, and took about four hours. As processing power has increased, the resources required to factor such keys have become ever smaller.

It’s tempting to fault GivEnergy engineers for pinning the security of its infrastructure on a key that’s trivial to break. Castellucci, however, said the responsibility is better assigned to the makers of code libraries developers rely on to implement complex cryptographic processes.

“Expecting developers to know that 512 bit RSA is insecure clearly doesn’t work,” the security researcher wrote. “They’re not cryptographers. This is not their job. The failure wasn’t that someone used 512 bit RSA. It was that a library they were relying on let them.”

Castellucci noted that OpenSSL, the most widely used cryptographic code library, still offers the option of using 512-bit keys. So does the Go crypto library. Coincidentally, the Python cryptography library removed the option only a few weeks ago (the commit for the change was made in January).
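Because the libraries named above still hand out 512-bit keys on request, the practical defence is to enforce a minimum key size yourself before a key is ever loaded to sign tokens, for example as a startup check or a pipeline gate over the keys in configuration. The following is an added example, not code from the article, from GivEnergy or from Castellucci: a dependency-free checker that parses an RSA public key in PEM form and rejects any modulus below an assumed 2048-bit policy floor. It goes beyond the article’s single case by accepting both the PKCS#1 “RSA PUBLIC KEY” encoding and the X.509 SubjectPublicKeyInfo “PUBLIC KEY” wrapper. The fixtures are constructed integers of the right bit length rather than real keys, and `MIN_RSA_BITS`, the function names and the policy floor are my choices, not anything the article or the vendor specifies.

```python
import base64
import re

# Assumed policy floor: a widely used minimum for RSA signing keys (adjust to your standard).
MIN_RSA_BITS = 2048

# --- minimal DER helpers: only what an RSA public key needs ---

def _der_len(buf, i):
    """Decode the DER length at buf[i]; return (length, index after it)."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F                          # long form: next n bytes hold the length
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def _der_tlv(buf, i):
    """Decode one DER element at buf[i]; return (tag, value bytes, next index)."""
    tag = buf[i]
    length, j = _der_len(buf, i + 1)
    return tag, buf[j:j + length], j + length

def _der_children(body):
    """Split the body of a DER SEQUENCE into a list of (tag, value)."""
    out, i = [], 0
    while i < len(body):
        tag, val, i = _der_tlv(body, i)
        out.append((tag, val))
    return out

def _enc_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def _enc_int(x):
    b = x.to_bytes(max(1, (x.bit_length() + 7) // 8), "big")
    if b[0] & 0x80:                           # DER INTEGER is signed: pad so it stays positive
        b = b"\x00" + b
    return b"\x02" + _enc_len(len(b)) + b

def _enc_seq(*parts):
    body = b"".join(parts)
    return b"\x30" + _enc_len(len(body)) + body

def _pem(label, der):
    b64 = base64.b64encode(der).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{lines}\n-----END {label}-----\n"

RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")   # OID 1.2.840.113549.1.1.1

def pkcs1_pem(n, e=65537):
    """Encode (n, e) as a PKCS#1 'RSA PUBLIC KEY' PEM (used here to build fixtures)."""
    return _pem("RSA PUBLIC KEY", _enc_seq(_enc_int(n), _enc_int(e)))

def spki_pem(n, e=65537):
    """Encode (n, e) as an X.509 SubjectPublicKeyInfo 'PUBLIC KEY' PEM (fixture builder)."""
    pkcs1 = _enc_seq(_enc_int(n), _enc_int(e))
    bit_string = b"\x03" + _enc_len(len(pkcs1) + 1) + b"\x00" + pkcs1   # 0 unused bits
    return _pem("PUBLIC KEY", _enc_seq(_enc_seq(RSA_ENCRYPTION_OID, b"\x05\x00"), bit_string))

# --- the check itself ---

def rsa_modulus_bits(pem):
    """Return the modulus bit length of an RSA public key given in either PEM form."""
    der = base64.b64decode(re.sub(r"-----[^-]+-----|\s", "", pem))
    tag, body, _ = _der_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected a DER SEQUENCE")
    items = _der_children(body)
    if items[0][0] == 0x30:                   # SubjectPublicKeyInfo: AlgorithmIdentifier, BIT STRING
        alg = _der_children(items[0][1])
        if alg[0][1] != RSA_ENCRYPTION_OID[2:]:
            raise ValueError("not an rsaEncryption key")
        bit_string = items[1][1]
        if bit_string[0] != 0:
            raise ValueError("unexpected unused bits in BIT STRING")
        _, inner, _ = _der_tlv(bit_string[1:], 0)   # payload is a PKCS#1 RSAPublicKey
        items = _der_children(inner)
    if items[0][0] != 0x02:
        raise ValueError("expected INTEGER modulus")
    return int.from_bytes(items[0][1], "big").bit_length()

def check_rsa_key_policy(pem, min_bits=MIN_RSA_BITS):
    """Return (ok, message); refuse any key whose modulus is below the policy floor."""
    bits = rsa_modulus_bits(pem)
    if bits < min_bits:
        return False, f"RSA modulus is {bits} bits; policy requires at least {min_bits}"
    return True, f"RSA modulus is {bits} bits"

# Constructed fixtures: arbitrary odd integers of the right size, NOT real RSA keys;
# they exist only so the size check has something to inspect.
WEAK_PEM = pkcs1_pem((1 << 511) | 1)          # 512-bit modulus, the size in the GivEnergy case
STRONG_PEM = spki_pem((1 << 2047) | 1)        # 2048-bit modulus inside the SPKI wrapper

if __name__ == "__main__":
    for name, pem in (("weak", WEAK_PEM), ("strong", STRONG_PEM)):
        print(name, *check_rsa_key_policy(pem))
```

Wiring `check_rsa_key_policy` into the code path that loads a token-signing key, and failing closed when it returns `False`, turns “the library let them” into a startup error rather than a silently weak deployment; the same parser can be pointed at every PEM in a repository or secrets store to find keys that predate the policy.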

In an email, a GivEnergy representative reinforced Castellucci’s assessment, writing:

In this case, the problematic encryption approach was picked up via a 3rd party library many years ago, when we were a tiny startup company with only 2, fairly junior software developers & limited experience. Their assumption at the time was that because this encryption was available within the library, it was safe to use. This approach was passed through the intervening years and this part of the codebase was not changed significantly since implementation (so hadn’t passed through the review of the more experienced team we now have in place).


Internet Archive forced to remove 500,000 books after publishers’ court win


As a result of book publishers successfully suing the Internet Archive (IA) last year, the free online library that strives to keep growing online access to books recently shrank by about 500,000 titles.

IA reported in a blog post this month that publishers abruptly forcing these takedowns triggered a “devastating loss” for readers who depend on IA to access books that are otherwise impossible or difficult to access.

To restore access, IA is now appealing, hoping to reverse the prior court’s decision by convincing the US Court of Appeals in the Second Circuit that IA’s controlled digital lending of its physical books should be considered fair use under copyright law. An April court filing shows that IA intends to argue that the publishers have no evidence that the e-book market has been harmed by the open library’s lending, and copyright law is better served by allowing IA’s lending than by preventing it.

“We use industry-standard technology to prevent our books from being downloaded and redistributed—the same technology used by corporate publishers,” Chris Freeland, IA’s director of library services, wrote in the blog. “But the publishers suing our library say we shouldn’t be allowed to lend the books we own. They have forced us to remove more than half a million books from our library, and that’s why we are appealing.”

IA will have an opportunity to defend its practices when oral arguments start in its appeal on June 28.

“Our position is straightforward; we just want to let our library patrons borrow and read the books we own, like any other library,” Freeland wrote, while arguing that the “potential repercussions of this lawsuit extend far beyond the Internet Archive” and publishers should just “let readers read.”

“This is a fight for the preservation of all libraries and the fundamental right to access information, a cornerstone of any democratic society,” Freeland wrote. “We believe in the right of authors to benefit from their work; and we believe that libraries must be permitted to fulfill their mission of providing access to knowledge, regardless of whether it takes physical or digital form. Doing so upholds the principle that knowledge should be equally and equitably accessible to everyone, regardless of where they live or where they learn.”

Internet Archive fans beg publishers to end takedowns

After publishers won an injunction stopping IA’s digital lending, which “limits what we can do with our digitized books,” IA’s help page said, the open library started shrinking. While “removed books are still available to patrons with print disabilities,” everyone else has been cut off, causing many books in IA’s collection to show up as “Borrow Unavailable.”

Ever since, IA has been “inundated” with inquiries from readers all over the world searching for the removed books, Freeland said. And “we get tagged in social media every day where people are like, ‘why are there so many books gone from our library’?” Freeland told Ars.

In an open letter to publishers signed by nearly 19,000 supporters, IA fans begged publishers to reconsider forcing takedowns and quickly restore access to the lost books.

Among the “far-reaching implications” of the takedowns, IA fans counted the negative educational impact on academics, students, and educators—“particularly in underserved communities where access is limited”—who were suddenly cut off from “research materials and literature that support their learning and academic growth.”

They also argued that the takedowns dealt “a serious blow to lower-income families, people with disabilities, rural communities, and LGBTQ+ people, among many others,” who may not have access to a local library or feel “safe accessing the information they need in public.”

“Your removal of these books impedes academic progress and innovation, as well as imperiling the preservation of our cultural and historical knowledge,” the letter said.

“This isn’t happening in the abstract,” Freeland told Ars. “This is real. People no longer have access to a half a million books.”



Mystery malware destroys 600,000 routers from a single ISP during 72-hour span

PUMPKIN ECLIPSE —

An unknown threat actor with equally unknown motives forces ISP to replace routers.



One day last October, subscribers to an ISP known as Windstream began flooding message boards with reports their routers had suddenly stopped working and remained unresponsive to reboots and all other attempts to revive them.

“The routers now just sit there with a steady red light on the front,” one user wrote, referring to the ActionTec T3200 router models Windstream provided to both them and a next door neighbor. “They won’t even respond to a RESET.”

In the messages—which appeared over a few days beginning on October 25—many Windstream users blamed the ISP for the mass bricking. They said it was the result of the company pushing updates that poisoned the devices. Windstream’s Kinetic broadband service has about 1.6 million subscribers in 18 states, including Iowa, Alabama, Arkansas, Georgia, and Kentucky. For many customers, Kinetic provides an essential link to the outside world.

“We have 3 kids and both work from home,” another subscriber wrote in the same forum. “This has easily cost us $1,500+ in lost business, no tv, WiFi, hours on the phone, etc. So sad that a company can treat customers like this and not care.”

After eventually determining that the routers were permanently unusable, Windstream sent new routers to affected customers. Black Lotus has named the event Pumpkin Eclipse.

A deliberate act

A report published Thursday by security firm Lumen Technologies’ Black Lotus Labs may shed new light on the incident, which Windstream has yet to explain. Black Lotus Labs researchers said that over a 72-hour period beginning on October 25, malware took out more than 600,000 routers connected to a single autonomous system number, or ASN, belonging to an unnamed ISP.

While the researchers aren’t identifying the ISP, the particulars they report match almost perfectly with those detailed in the October messages from Windstream subscribers. Specifically, the date the mass bricking started, the router models affected, the description of the ISP, and the displaying of a static red light by the out-of-commission ActionTec routers. Windstream representatives declined to answer questions sent by email.

According to Black Lotus, the routers—conservatively estimated at a minimum of 600,000—were taken out by an unknown threat actor with equally unknown motivations. The actor took deliberate steps to cover their tracks by using commodity malware known as Chalubo, rather than a custom-developed toolkit. A feature built into Chalubo allowed the actor to execute custom Lua scripts on the infected devices. The researchers believe the malware downloaded and ran code that permanently overwrote the router firmware.

“We assess with high confidence that the malicious firmware update was a deliberate act intended to cause an outage, and though we expected to see a number of router make and models affected across the internet, this event was confined to the single ASN,” Thursday’s report stated before going on to note the troubling implications of a single piece of malware suddenly severing the connections of 600,000 routers.

The researchers wrote:

Destructive attacks of this nature are highly concerning, especially so in this case. A sizeable portion of this ISP’s service area covers rural or underserved communities; places where residents may have lost access to emergency services, farming concerns may have lost critical information from remote monitoring of crops during the harvest, and health care providers cut off from telehealth or patients’ records. Needless to say, recovery from any supply chain disruption takes longer in isolated or vulnerable communities.

After learning of the mass router outage, Black Lotus began querying the Censys search engine for the affected router models. A one-week snapshot soon revealed that one specific ASN experienced a 49 percent drop in those models just as the reports began. This amounted to the disconnection of at least 179,000 ActionTec routers and more than 480,000 routers sold by Sagemcom.

[Figure: Censys snapshot of affected router models in the ASN. Credit: Black Lotus Labs]

The constant connecting and disconnecting of routers to any ISP complicates the tracking process, because it’s impossible to know if a disappearance is the result of normal churn or something more complicated. Black Lotus said that a conservative estimate is that at least 600,000 of the disconnections it tracked were the result of Chalubo infecting the devices and, from there, permanently wiping the firmware they ran on.
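The two paragraphs above describe the detection signal: a per-ASN count of a router model from an Internet scanning service falling far outside that ASN's normal churn. The following added example (not Black Lotus Labs' tooling or the Censys API) shows that logic over constructed daily counts. A disconnect is flagged only when the latest day's drop exceeds both an absolute threshold and the ASN's own day-over-day churn by several standard deviations; the thresholds, the ASN labels and every number in the snapshots are assumptions invented for the example.

```python
from statistics import mean, pstdev

# Constructed daily device counts per ASN for one router model, as a scanning
# service might report them. Stand-in numbers, not the article's Censys data.
SNAPSHOTS = {
    "AS-A": [100_000, 99_400, 100_800, 99_900, 100_300, 100_100, 51_000],
    "AS-B": [42_000, 41_700, 42_300, 41_900, 42_100, 42_000, 41_800],
}


def churn_baseline(counts):
    """Mean and population std-dev of day-over-day percentage change."""
    changes = [(b - a) / a * 100 for a, b in zip(counts, counts[1:])]
    return mean(changes), pstdev(changes)


def assess_latest_day(counts, drop_pct=25.0, sigma=4.0):
    """Compare the newest count against the ASN's own churn history.

    Flag only if the latest change is a drop of at least drop_pct percent AND
    sits at least sigma standard deviations away from the usual churn, so a
    noisy ASN with a wide baseline is not flagged on ordinary fluctuation.
    """
    baseline, latest = counts[:-1], counts[-1]
    mu, sd = churn_baseline(baseline)
    change = (latest - baseline[-1]) / baseline[-1] * 100
    if sd == 0:
        z = 0.0 if change == mu else float("inf")
    else:
        z = (change - mu) / sd
    return {
        "change_pct": round(change, 2),
        "baseline_mean_pct": round(mu, 2),
        "baseline_sd_pct": round(sd, 2),
        "z": round(z, 1),
        "flag": change <= -drop_pct and abs(z) >= sigma,
    }


def find_mass_disconnects(snapshots, **kwargs):
    """Return the ASNs whose latest snapshot looks like a mass disconnect."""
    return {asn: r for asn, counts in snapshots.items()
            if (r := assess_latest_day(counts, **kwargs))["flag"]}


if __name__ == "__main__":
    for asn, report in find_mass_disconnects(SNAPSHOTS).items():
        print(asn, report)
```

Running the same assessment across every ASN rather than one operator is what separates an outage confined to a single network (as here) from a vendor-wide faulty firmware push, which would show up as drops spread across many ASNs at once.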

After identifying the ASN, Black Lotus discovered a complex multi-path infection mechanism for installing Chalubo on the routers. The following graphic provides a logical overview.

[Figure: overview of the multi-path Chalubo infection chain. Credit: Black Lotus Labs]

There aren’t many known precedents for malware that wipes routers en masse in the way witnessed by the researchers. Perhaps the closest was the discovery in 2022 of AcidRain, the name given to malware that knocked out 10,000 modems for satellite Internet provider Viasat. The outage, hitting Ukraine and other parts of Europe, was timed to Russia’s invasion of the smaller neighboring country.

A Black Lotus representative said in an interview that researchers can’t rule out that a nation-state is behind the router-wiping incident affecting the ISP. But so far, the researchers say they aren’t aware of any overlap between the attacks and any known nation-state groups they track.

The researchers have yet to determine the initial means of infecting the routers. It’s possible the threat actors exploited a vulnerability, although the researchers said they aren’t aware of any known vulnerabilities in the affected routers. Other possibilities are the threat actor abused weak credentials or accessed an exposed administrative panel.

An attack unlike any other

While the researchers have analyzed attacks on home and small office routers before, they said two things make this latest one stand out. They explained:

First, this campaign resulted in a hardware-based replacement of the affected devices, which likely indicates that the attacker corrupted the firmware on specific models. The event was unprecedented due to the number of units affected—no attack that we can recall has required the replacement of over 600,000 devices. In addition, this type of attack has only ever happened once before, with AcidRain used as a precursor to an active military invasion.

They continued:

The second unique aspect is that this campaign was confined to a particular ASN. Most previous campaigns we’ve seen target a specific router model or common vulnerability and have effects across multiple providers’ networks. In this instance, we observed that both Sagemcom and ActionTec devices were impacted at the same time, both within the same provider’s network. This led us to assess it was not the result of a faulty firmware update by a single manufacturer, which would normally be confined to one device model or models from a given company. Our analysis of the Censys data shows the impact was only for the two in question. This combination of factors led us to conclude the event was likely a deliberate action taken by an unattributed malicious cyber actor, even if we were not able to recover the destructive module.

With no clear idea how the routers came to be infected, the researchers can only offer the usual generic advice for keeping such devices free of malware. That includes installing security updates, replacing default passwords with strong ones, and regular rebooting. ISPs and other organizations that manage routers should follow additional advice for securing the management interfaces for administering the devices.

Thursday’s report includes IP addresses, domain names, and other indicators that people can use to determine if their devices have been targeted or compromised in the attacks.



Linux maintainers were infected for 2 years by SSH-dwelling backdoor with huge reach

ONGOING LINUX THREAT —

Ebury backdoors SSH servers in hosting providers, giving the malware extraordinary reach.


Infrastructure used to maintain and distribute the Linux operating system kernel was infected for two years, starting in 2009, by sophisticated malware that managed to get a hold of one of the developers’ most closely guarded resources: the /etc/shadow files that stored encrypted password data for more than 550 system users, researchers said Tuesday.

The unknown attackers behind the compromise infected at least four servers inside kernel.org, the Internet domain underpinning the sprawling Linux development and distribution network, the researchers from security firm ESET said. After obtaining the cryptographic hashes for 551 user accounts on the network, the attackers were able to convert half into plaintext passwords, likely through password-cracking techniques and the use of an advanced credential-stealing feature built into the malware. From there, the attackers used the servers to send spam and carry out other nefarious activities. The four servers were likely infected and disinfected at different times, with the last two being remediated at some point in 2011.

Stealing kernel.org’s keys to the kingdom

An infection of kernel.org came to light in 2011, when kernel maintainers revealed that 448 accounts had been compromised after attackers had somehow managed to gain unfettered, or “root,” system access to servers connected to the domain. Maintainers reneged on a promise to provide an autopsy of the hack, a decision that has limited the public’s understanding of the incident.

Besides revealing the number of compromised user accounts, representatives of the Linux Kernel Organization provided no details other than saying that the infection:

  • Occurred no later than August 12, 2011, and wasn’t detected for another 17 days
  • Installed an off-the-shelf rootkit known as Phalanx on multiple servers and personal devices belonging to a senior Linux developer
  • Modified the files that both servers and end user devices inside the network used to connect through OpenSSH, an implementation of the SSH protocol for securing remote connections.

In 2014, ESET researchers said the 2011 attack likely infected kernel.org servers with a second piece of malware they called Ebury. The malware, the firm said, came in the form of a malicious code library that, when installed, created a backdoor in OpenSSH that provided the attackers with a remote root shell on infected hosts with no valid password required. In a little less than 22 months, starting in August 2011, Ebury spread to 25,000 servers. Besides the four belonging to the Linux Kernel Organization, the infection also touched one or more servers inside hosting facilities and an unnamed domain registrar and web hosting provider.

A 47-page report summarizing Ebury’s 15-year history said that the infection hitting the kernel.org network began in 2009, two years earlier than the domain was previously thought to have been compromised. The report said that since 2009, the OpenSSH-dwelling malware has infected more than 400,000 servers, all running Linux except for about 400 FreeBSD servers, a dozen OpenBSD and SunOS servers, and at least one Mac.

Researcher Marc-Etienne M. Léveillé wrote:

In our 2014 paper, we mentioned that there was evidence that kernel.org, hosting the source code of the Linux kernel, had been a victim of Ebury. Data now at our disposal reveals additional details about the incident. Ebury had been installed on at least four servers belonging to the Linux Foundation between 2009 and 2011. It seems these servers acted as mail servers, name servers, mirrors, and source code repositories at the time of the compromise. We cannot tell for sure when Ebury was removed from each of the servers, but since it was discovered in 2011 it is likely that two of the servers were compromised for as long as two years, one for one year and the other for six months.

The perpetrator also had copies of the /etc/shadow files, which overall contained 551 unique username and hashed password pairs. The cleartext passwords for 275 of those users (50%) are in possession of the attackers. We believe that the cleartext passwords were obtained by using the installed Ebury credential stealer, and by brute force.

The researcher said in an email that the Ebury and Phalanx infections appear to be separate compromises by two unrelated threat groups. Representatives of the Linux Kernel Organization didn’t respond to emails asking if they were aware of the ESET report or if its claims were accurate. There is no indication that either infection resulted in tampering with the Linux kernel source code.
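Half of the 551 hashes taken from kernel.org's /etc/shadow files were recovered as cleartext, partly by brute force, which is the kind of outcome a routine audit of the hash formats in that file can anticipate. The following is an added example, not ESET's or the Linux Kernel Organization's tooling: it parses shadow-format lines, classifies each password field by the crypt(3) scheme it uses, and reports accounts whose hashes a cracker would get through quickly. The sample lines are constructed and contain no real hashes; the verdict labels and the choice of which schemes count as acceptable are assumptions for the example.

```python
# Constructed /etc/shadow lines for the example. The hash strings are
# placeholders of the right shape, not real password hashes.
SAMPLE_SHADOW = """\
root:$6$saltsalt$hashhashhashhashhashhashhashhashhashhashhash:19500:0:99999:7:::
alice:$y$j9T$saltsaltsaltsalt$hashhashhashhashhashhashhashhash:19500:0:99999:7:::
bob:$1$saltsalt$hashhashhashhashhashha:19500:0:99999:7:::
carol:ab12cd34ef56g:19500:0:99999:7:::
daemon:*:19500:0:99999:7:::
mirror:!!:19500:0:99999:7:::
svc::19500:0:99999:7:::
"""

# crypt(3) scheme prefixes and how the audit rates them (policy assumption).
SCHEMES = {
    "$y$": ("yescrypt", "ok"),
    "$7$": ("scrypt", "ok"),
    "$2b$": ("bcrypt", "ok"),
    "$2y$": ("bcrypt", "ok"),
    "$6$": ("sha512crypt", "ok"),
    "$5$": ("sha256crypt", "ok"),
    "$1$": ("md5crypt", "weak"),
}


def classify_hash(field: str):
    """Return (scheme, verdict) for one shadow password field."""
    if field == "":
        return "empty", "critical"          # no password required at all
    if field.startswith(("!", "*")):
        return "locked", "locked"           # password login disabled
    for prefix, result in SCHEMES.items():
        if field.startswith(prefix):
            return result
    if len(field) == 13 and "$" not in field:
        return "des", "weak"                # legacy DES crypt: 8-char limit, no iterations
    return "unknown", "review"


def audit_shadow(text: str):
    """Parse shadow-format text; return a list of (user, scheme, verdict)."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        user, pw = fields[0], fields[1]
        scheme, verdict = classify_hash(pw)
        findings.append((user, scheme, verdict))
    return findings


def accounts_needing_action(text: str):
    """Users whose password hash should be rehashed or whose login needs fixing."""
    return [(u, s, v) for u, s, v in audit_shadow(text) if v in ("weak", "critical")]


if __name__ == "__main__":
    for user, scheme, verdict in audit_shadow(SAMPLE_SHADOW):
        print(f"{user:8} {scheme:12} {verdict}")
```

Weak schemes are fixed on the next login by raising the system's default (the `ENCRYPT_METHOD` setting that login.defs controls on most distributions) and expiring the affected passwords; an empty field is an immediate lock. The audit only rates the hash format, not password strength, so it is a floor, not a substitute for rate limiting and key-based SSH access.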
